APP脱壳方法三
第一步
手机启动frida服务
第二步
手机打开要脱壳的app
第三步编辑hook代码
agent.js
/*
* Author: hluwa <hluwa888@gmail.com>
* HomePage: https://github.com/hluwa
* CreatedTime: 2020/1/7 20:44
* */
var enable_deep_search = false;
function verify_by_maps(dexptr, mapsptr) {
var maps_offset = dexptr.add(0x34).readUInt();
var maps_size = mapsptr.readUInt();
for (var i = 0; i < maps_size; i++) {
var item_type = mapsptr.add(4 + i * 0xC).readU16();
if (item_type === 4096) {
var map_offset = mapsptr.add(4 + i * 0xC + 8).readUInt();
if (maps_offset === map_offset) {
return true;
}
}
}
return false;
}
function get_dex_real_size(dexptr, range_base, range_end) {
var dex_size = dexptr.add(0x20).readUInt();
var maps_address = get_maps_address(dexptr, range_base, range_end);
if (!maps_address) {
return dex_size;
}
var maps_end = get_maps_end(maps_address, range_base, range_end);
if (!maps_end) {
return dex_size;
}
return maps_end - dexptr
}
function get_maps_address(dexptr, range_base, range_end) {
var maps_offset = dexptr.add(0x34).readUInt();
if (maps_offset === 0) {
return null;
}
var maps_address = dexptr.add(maps_offset);
if (maps_address < range_base || maps_address > range_end) {
return null;
}
return maps_address;
}
function get_maps_end(maps, range_base, range_end) {
var maps_size = maps.readUInt();
if (maps_size < 2 || maps_size > 50) {
return null;
}
var maps_end = maps.add(maps_size * 0xC + 4);
if (maps_end < range_base || maps_end > range_end) {
return null;
}
return maps_end;
}
function verify(dexptr, range, enable_verify_maps) {
if (range != null) {
var range_end = range.base.add(range.size);
// verify header_size
if (dexptr.add(0x70) > range_end) {
return false;
}
// In runtime, the fileSize is can to be clean, so it's not trust.
// verify file_size
// var dex_size = dexptr.add(0x20).readUInt();
// if (dexptr.add(dex_size) > range_end) {
// return false;
// }
if (enable_verify_maps) {
var maps_address = get_maps_address(dexptr, range.base, range_end);
if (!maps_address) {
return false;
}
var maps_end = get_maps_end(maps_address, range.base, range_end);
if (!maps_end) {
return false;
}
return verify_by_maps(dexptr, maps_address)
} else {
return dexptr.add(0x3C).readUInt() === 0x70;
}
}
return false;
}
rpc.exports = {
memorydump: function memorydump(address, size) {
return new NativePointer(address).readByteArray(size);
},
switchmode: function switchmode(bool) {
enable_deep_search = bool;
},
scandex: function scandex() {
var result = [];
Process.enumerateRanges('r--').forEach(function (range) {
try {
Memory.scanSync(range.base, range.size, "64 65 78 0a 30 ?? ?? 00").forEach(function (match) {
if (range.file && range.file.path
&& (// range.file.path.startsWith("/data/app/") ||
range.file.path.startsWith("/data/dalvik-cache/") ||
range.file.path.startsWith("/system/"))) {
return;
}
if (verify(match.address, range, false)) {
var dex_size = get_dex_real_size(match.address, range.base, range.base.add(range.size));
result.push({
"addr": match.address,
"size": dex_size
});
}
});
if (enable_deep_search) {
Memory.scanSync(range.base, range.size, "70 00 00 00").forEach(function (match) {
var dex_base = match.address.sub(0x3C);
if (dex_base < range.base) {
return
}
if (dex_base.readCString(4) != "dex\n" && verify(dex_base, range, true)) {
var real_dex_size = get_dex_real_size(dex_base, range.base, range.base.add(range.size));
result.push({
"addr": dex_base,
"size": real_dex_size
});
}
})
} else {
if (range.base.readCString(4) != "dex\n" && verify(range.base, range, true)) {
// console.log("range.base=" + range.base);
var real_dex_size = get_dex_real_size(range.base, range.base, range.base.add(range.size));
// console.log("range.base=" + range.base + ", real_dex_size=" + real_dex_size);
result.push({
"addr": range.base,
"size": real_dex_size
});
}
}
} catch (e) {
}
});
return result;
}
};
第四步
运行脱壳代码
# Author: hluwa <hluwa888@gmail.com>
# HomePage: https://github.com/hluwa
# CreatedTime: 2020/1/7 20:57
import hashlib
import os
import random
import sys
try:
from shutil import get_terminal_size as get_terminal_size
except:
try:
from backports.shutil_get_terminal_size import get_terminal_size as get_terminal_size
except:
pass
import click
import frida
import logging
import traceback
logging.basicConfig(level=logging.INFO,
format="%(asctime)s %(levelname)s %(message)s",
datefmt='%m-%d/%H:%M:%S')
banner = """
----------------------------------------------------------------------------------------
____________ ___________ ___ ______ _______ _______
| ___| ___ \_ _| _ \/ _ \ | _ \ ___\ \ / / _ \
| |_ | |_/ / | | | | | / /_\ \______| | | | |__ \ V /| | | |_ _ _ __ ___ _ __
| _| | / | | | | | | _ |______| | | | __| / \| | | | | | | '_ ` _ \| '_ \
| | | |\ \ _| |_| |/ /| | | | | |/ /| |___/ /^\ \ |/ /| |_| | | | | | | |_) |
\_| \_| \_|\___/|___/ \_| |_/ |___/ \____/\/ \/___/ \__,_|_| |_| |_| .__/
| |
|_|
https://github.com/hluwa/FRIDA-DEXDump
----------------------------------------------------------------------------------------
"""
md5 = lambda bs: hashlib.md5(bs).hexdigest()
def show_banner():
try:
if get_terminal_size().columns >= len(banner.splitlines()[1]):
for line in banner.splitlines():
click.secho(line, fg=random.choice(['bright_red', 'bright_green', 'bright_blue', 'cyan', 'magenta']))
except:
pass
def get_all_process(device, pkgname):
return [process for process in device.enumerate_processes() if pkgname in process.name]
def search(api):
"""
"""
matches = api.scandex()
for info in matches:
click.secho("[DEXDump] Found: DexAddr={}, DexSize={}"
.format(info['addr'], hex(info['size'])), fg='green')
return matches
def dump(pkg_name, api, mds=None):
"""
"""
if mds is None:
mds = []
matches = api.scandex()
for info in matches:
try:
bs = api.memorydump(info['addr'], info['size'])
md = md5(bs)
if md in mds:
click.secho("[DEXDump]: Skip duplicate dex {}<{}>".format(info['addr'], md), fg="blue")
continue
mds.append(md)
if not os.path.exists("./" + pkg_name + "/"):
os.mkdir("./" + pkg_name + "/")
if bs[:4] != b"dex\n":
bs = b"dex\n035\x00" + bs[8:]
with open(pkg_name + "/" + info['addr'] + ".dex", 'wb') as out:
out.write(bs)
click.secho("[DEXDump]: DexSize={}, DexMd5={}, SavePath={}/{}/{}.dex"
.format(hex(info['size']), md, os.getcwd(), pkg_name, info['addr']), fg='green')
except Exception as e:
click.secho("[Except] - {}: {}".format(e, info), bg='yellow')
def stop_other(pid, processes):
try:
for process in processes:
if process.pid == pid:
os.system("adb shell \"su -c 'kill -18 {}'\"".format(process.pid))
else:
os.system("adb shell \"su -c 'kill -19 {}'\"".format(process.pid))
except:
pass
def choose(pid=None, pkg=None, spawn=False, device=None):
if pid is None and pkg is None:
target = device.get_frontmost_application()
return target.pid, target.identifier
for process in device.enumerate_processes():
if (pid and process.pid == pid) or (pkg and process.name == pkg):
if not spawn:
return process.pid, process.name
else:
pkg = process.name
break
if pkg and spawn and device:
pid = device.spawn(pkg)
device.resume(pid)
return pid, pkg
raise Exception("Cannot found <{}> process".format(pid))
if __name__ == "__main__":
show_banner()
try:
device = frida.get_usb_device()
except:
device = frida.get_remote_device()
if not device:
click.secho("[Except] - Unable to connect to device.", bg='red')
exit()
pid = -1
pname = ""
try:
pid, pname = choose(device=device)
except Exception as e:
click.secho("[Except] - Unable to inject into process: {} in \n{}".format(e, traceback.format_tb(
sys.exc_info()[2])[-1]), bg='red')
exit()
print(pname)
processes = get_all_process(device, pname)
mds = []
for process in processes:
logging.info("[DEXDump]: found target [{}] {}".format(process.pid, process.name))
stop_other(process.pid, processes)
session = device.attach(process.pid)
path = os.path.dirname(sys.argv[0])
path = path if path else "."
script = session.create_script(open(path + "/agent.js").read())
script.load()
dump(pname, script.exports, mds=mds)
script.unload()
session.detach()
exit()
APP脱壳方法三的更多相关文章
- 快速定位 Android APP 当前页面的三种方法(Activity / Fragment)
方法一.通过adb命令打印当前页面: Android 如何快速定位当前页面是哪个Activity or Fragment (1)查看当前Activity :adb shell "dumpsy ...
- Android常见App加固厂商脱壳方法的整理
目录 简述(脱壳前学习的知识.壳的历史.脱壳方法) 第一代壳 第二代壳 第三代壳 第N代壳 简述 Apk文件结构 Dex文件结构 壳史 壳的识别 Apk文件结构 Dex文件结构 壳史 第一代壳 Dex ...
- App元素定位三种方法
来自博客: http://testingpai.com/article/1595507262082 以下方法操作前必须确保有手机设备连入电脑,检测是否有手机连入命令 adb devices 第一种:A ...
- 彩贝网app破解登入参数(涉及app脱壳,反编译java层,so层动态注册,反编译so层)
一.涉及知识点 app脱壳 java层 so层动态注册 二.抓包信息 POST /user/login.html HTTP/1.1 x-app-session: 1603177116420 x-app ...
- Android APP压力测试(三)之Monkey日志自动分析脚本
Android APP压力测试(三) 之Monkey日志自动分析脚本 前言 上次说要分享Monkey日志的分析脚本,这次贴出来分享一下,废话不多说,请看正文. [目录] 1.Monkey日志分析脚本 ...
- Android抓包方法(三)之Win7笔记本Wifi热点+WireShark工具
Android抓包方法(三) 之Win7笔记本Wifi热点+WireShark工具 前言 做前端测试,基本要求会抓包,会分析请求数据包,查看接口是否调用正确,数据返回是否正确,问题产生是定位根本原因等 ...
- Django 2.0.1 官方文档翻译: 编写你的第一个 Django app,第三部分(Page 8)
编写你的第一个 Django app,第三部分(Page 8)转载请注明链接地址 本页教程接前面的第二部分.我们继续开发 web-poll app,我们会专注于创建公共接口上 -- "视图& ...
- Android应用APP脱壳笔记
[TOC] 天下游 模拟定位技术点简析 通过代码分析初步猜测模拟定位用到的几处技术点: 获取了Root权限 通过反射获取 android.os.ServiceManager 对应的函数 getServ ...
- 总结Themida / Winlicense加壳软件的脱壳方法
总结下Themida/ Winlicense (TM / WL) 的脱壳方法. 1, 查看壳版本,这个方法手动也可以,因为这个壳的版本号是写在程序里面的,在解压后下断点即可查看,这里有通用的脚本,我 ...
随机推荐
- [剑指Offer]65-不用加减乘除做加法
题目 写一个函数,求两个整数之和,要求在函数体内不得使用+.-.*./四则运算符号. 题解 用位运算模拟加法的三步: 无进位加法:异或运算. 进位:与运算再左移一位. 直到进位为0结束. 代码 pub ...
- vue父子组件状态同步的最佳方式续章(v-model篇)
大家好!我是木瓜太香!一名前端工程师,之前写过一篇<vue父子组件状态同步的最佳方式>,这篇文章描述了大多数情况下的父子组件同步的最佳方式,也是被开源中国官方推荐了,在这里表示感谢! 这次 ...
- css3 压缩及验证工具
1.css w3c统一验证工具 网址:http://www.csstats.com/ 如果你想要更全面的,这个神奇,你值得拥有: w3c统一验证工具:http://validator.w3.org/u ...
- 说说我对 WSGI 的理解
先说下 WSGI 的表面意思,Web Server Gateway Interface 的缩写,即 Web 服务器网关接口. 之前不知道 WSGI 意思的伙伴,看了上面的解释后,我估计也还是不清楚,所 ...
- Salesforce Javascript(一) Promise 浅谈
本篇参看: https://developer.mozilla.org/zh-CN/docs/Web/JavaScript/Reference/Global_Objects/Promise https ...
- 1.KafKa-介绍
- APS定时任务框架
一.安装与简介 1.安装 pip install apscheduler 官方文档:https://apscheduler.readthedocs.io/en/latest/# 2.简介 APSche ...
- Jenkins打Docker镜像推送到私有仓库
Jenkins打Docker镜像推送到私有仓库 因为我的Jenkins是安装在群晖NAS中的docker,所以我这边就以Docker安装Jenkins为例 echo '================ ...
- 查看 JVM 参数的默认值
查看初始默认值:-XX:+PrintFlagsInitial HuandeMacBook-Air:~ huanliu$ java -XX:+PrintFlagsInitial [Global flag ...
- Tensorflow图级别随机数设置-tf.set_random_seed(seed)
tf.set_random_seed(seed) 可使得所有会话中op产生的随机序列是相等可重复的. 例如: tf.set_random_seed(1234) a = tf.random_unifor ...